Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Documenting CA certificates setup for hetty #21

Merged
merged 5 commits into from
Oct 8, 2020
Merged

Documenting CA certificates setup for hetty #21

merged 5 commits into from
Oct 8, 2020
+79 −2

Conversation

tcarrio
Copy link
Contributor

@tcarrio tcarrio commented Oct 3, 2020

  • Provides more accessible instructions on CA certificates
  • New sections provided for "Certificate Setup and Installation"
  • Configuring certificates for hetty using defaults and direct CLI
    arguments
  • Trusting CA certificates on Windows, macOS, and Ubuntu
  • Mention for additional Linux distros not covered by Ubuntu

Ref: #12

@tcarrio
Copy link
Contributor Author

tcarrio commented Oct 3, 2020

I just went through this process myself getting a local dev environment up and saw the note in the README, so I figured I would include some documentation.

This was only tested on Linux, but I included instructions for Ubuntu, macOS, and Windows by referencing various guides. I hope they're helpful 👍

@tcarrio
Documenting CA certificates setup for hetty
461a153 
- Provides more accessible instructions on CA certificates
- New sections provided for "Certificate Setup and Installation"
- Configuring certificates for hetty using defaults and direct CLI
  arguments
- Trusting CA certificates on Windows, macOS, and Ubuntu
- Mention for additional Linux distros not covered by Ubuntu

Ref: dstotijn#12
@tcarrio tcarrio force-pushed the docs/ca-certificates branch from 2f1b64b to 461a153 Compare October 3, 2020 02:32
RiRa12621
RiRa12621 reviewed Oct 3, 2020
View reviewed changes
dstotijn
dstotijn requested changes Oct 4, 2020
View reviewed changes
Copy link
Owner

@dstotijn dstotijn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking the effort @tcarrio! Left a few comments, but in general I think this is a good start. We'll probably refactor the certificate instructions into a separate docs site, but for now I think the README is the best place.

@elithrar
Copy link

elithrar commented Oct 4, 2020

You should consider building on, or using, mkcert: https://github.com/FiloSottile/mkcert

It automates the installation of the CA on major OS’ and is well-tested.

@tcarrio @dstotijn
Update README.md
a1bd269 
Co-authored-by: David Stotijn <[email protected]>
@tcarrio
Copy link
Contributor Author

tcarrio commented Oct 4, 2020

All of the comments look valid. I'll be applying all of them, which I can't seem to batch as a single commit in the GitHub UI. I will apply the updates and push again next chance.

@tcarrio
Copy link
Contributor Author

tcarrio commented Oct 6, 2020

This has been updated according to review. Please let me know what else may need updating 👍

@Lawri-van-Buel
Copy link

You should consider building on, or using, mkcert: https://github.com/FiloSottile/mkcert

It automates the installation of the CA on major OS’ and is well-tested.
I successfully used the rot certs from mkcert as the source CA file for Hetty.

I also completely agree that we should employ the concept of doing 1 thing, but doing it really good. makign / managing a CA should be out of scope for Hetty... but it could include instructions / inclusion of mkcert for that purpose.

As to the instructions using mkcert: github.com/FiloSottile/mkcert

  1. First either install the golang build environmnet from golang.org or skip to step 4
  2. Get a local checkout of the source from https://github.com/FiloSottile/mkcert.git make sure you have a taged version of the code by checking out a taged release (get the list of tags with git tag -l and than use the latest tag with git checkout <tagname>. if you are not changing the code tyourself you can ignore the detached message, otherwise add a branch with the -b <branch name> added to the last command.
  3. Build mkcert using the following set of instructions. go mod vendor and go build -ldflags "-X main.Version=$(git describe --tags)". This will yield the executable of mkcert for your system.
  4. the mkcert will need to generate its CA files before it can generate any other certs, if you execute it likw mkcert -install will both generate the CA certificate & key and install it into all relevant (local) certificate stores (the one form your OS, the one from firefox, etc).
  5. after that you can get the location of the Certificates file with mkcert -CAROOT it will return the directory where mkcert installed the certificates, you can COPY those into the hetty config as the CAcert and CAkey files.

I hope that helps, and if you like I am willign to also add it to the readme in a PR (after this one is accepted).

RiRa12621
RiRa12621 reviewed Oct 8, 2020
View reviewed changes
README.md
will cover how you can generate your certificate, provide them to hetty, and how
you can install them in your local CA store.

⚠️ _This process was done on a Linux machine but should_
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if this should be native markdown :warning: instead of an embedded emoji

RiRa12621
RiRa12621 approved these changes Oct 8, 2020
View reviewed changes
Copy link

@RiRa12621 RiRa12621 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM since i'm not super opinionated about the emoji i mentioned.
Squash and then it's good to go IMHO.
However I'd hold of with squashing until you got LGTM from @dstotijn

@dstotijn
Copy link
Owner

dstotijn commented Oct 8, 2020

I also completely agree that we should employ the concept of doing 1 thing, but doing it really good. makign / managing a CA should be out of scope for Hetty... but it could include instructions / inclusion of mkcert for that purpose.

(...)

I hope that helps, and if you like I am willign to also add it to the readme in a PR (after this one is accepted).

@Lawri-van-Buel: I think the way forward is to use mkcert as a library (import/dependency) in Hetty, at least for installing a CA in a system/browser CA store. That way we can leverage mkcert's features for CA management without introducing a lot (arguably non-core) code in Hetty. The alternative of instructing users to manually download/use mkcert to generate a keypair and install it is a bit of a degraded user experience; especially the generating of the keypair should remain a feature of Hetty itself, just like mitmproxy, Burp Suite and OWASP ZAP have this.

For now, generating the CA keypair ourselves and instructing users to install to their system/browser CA store is fine, and leading up to an eventual v1.0 release we can work on embedding mkcert. I'll create a separate issue for this in due time, but if you want to work on it already or discuss/how to do it, that'd be much appreciated! Probably discussions would be the best place.

dstotijn
dstotijn approved these changes Oct 8, 2020
View reviewed changes
Copy link
Owner

@dstotijn dstotijn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 👍

@dstotijn dstotijn merged commit 1324010 into dstotijn:master Oct 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dstotijn dstotijn dstotijn approved these changes

@RiRa12621 RiRa12621 RiRa12621 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tcarrio @elithrar @Lawri-van-Buel @dstotijn @RiRa12621